Submit a ticketCall us

Training Class Getting Started with SolarWinds Backup - February 28

This course offers customers an introduction to SolarWinds Backup, focusing on configuring the backup technology, taking backups, data restoration and data security. It is a great primer and will get you up to speed quickly on SolarWinds Backup.
Register for class.

Home > Success Center > Log & Event Manager (LEM) > LEM Administrator's Guide > Collecting Windows Filtering Platform (WFP) events in LEM

Collecting Windows Filtering Platform (WFP) events in LEM

Updated: September 15, 2017

Windows Filtering Platform (WFP) logs firewall and IPsec related events to the System Security Log. These alerts are background events that require additional LEM resources to process and are not recommended for an optimized LEM deployment.

About Windows WFP events and LEM performance

By default, WFP logging is disabled in the Windows Security Log connector. Tuning out Windows noise in group policies has the following advantages:

  • Reduces the space that these events occupy in the Security Event log
  • Reduces network activity
  • Reduces demand on LEM system resources (such as CPU, memory, and disk space)

The Windows Security Log connector stopped collecting WFP data in LEM version 6.2.

Configure LEM to collect WFP events (Optional)

If necessary, you can enable WFP event logging in LEM.

SolarWinds strongly recommends that you keep WFP logging turned off.

To collect WFP events in LEM, configure the Windows Filtering Platform Events connector. Enabling this connector will result in LEM collecting a huge volume of data . To manage this data, see the following sections.

Improve LEM performance by tuning Windows WFP events

If you collect WFP events in LEM, SolarWinds recommends tuning WFP in your Active Directory group policies to decrease the load that background events place on the LEM Manager. The following tables describe alerts located in the Event Distribution Policy in LEM Manager. You can filter out these events by clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules columns. LEM will process the remaining events.

In LEM, the terms event and alert are interchangeable .

SolarWinds recommends disabling WFP alerts using Group or Local Policy.

The ProviderSID value in the following alerts match the Windows Security Auditing Event ID format where Event ID is one of the Windows Event IDs listed in the following table.


Alert Name Windows Event ID
TCPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit 5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit 5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit 5152, 5156
PPTPTrafficAudit 5152


Table of Descriptions by Event ID

Event ID Brief Description
5152 Windows Filtering Platform blocked a packet
5154 Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156 Windows Filtering Platform allowed a connection
5157 Windows Filtering Platform blocked a connection
5158 Windows Filtering Platform permitted a bind to a local port
5159 Windows Filtering Platform blocked a bind to a local port
Last modified